On Wed, Jun 16, 2021 at 10:24:58AM +0800, Li Jun wrote:
> If wIndex is 0 (and it often is), these calculations underflow and
> UBSAN complains, here resolve this by not decrementing the index when
> it is equal to 0, this copies the solution from commit 85e3990bea49
> ("USB: EHCI: avoid undefined pointer arithmetic and placate UBSAN")
>
> Reported-by: zhipeng.wang <zhipeng.wang_1@xxxxxxx>
> Signed-off-by: Li Jun <jun.li@xxxxxxx>
> ---
> drivers/usb/chipidea/host.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/chipidea/host.c b/drivers/usb/chipidea/host.c
> index e86d13c04bdb..25327b1b49b7 100644
> --- a/drivers/usb/chipidea/host.c
> +++ b/drivers/usb/chipidea/host.c
> @@ -241,14 +241,16 @@ static int ci_ehci_hub_control(
> {
> struct ehci_hcd *ehci = hcd_to_ehci(hcd);
> u32 __iomem *status_reg;
> - u32 temp;
> + u32 temp, port_index;
> unsigned long flags;
> int retval = 0;
> bool done = false;
> struct device *dev = hcd->self.controller;
> struct ci_hdrc *ci = dev_get_drvdata(dev);
>
> - status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1];
> + port_index = wIndex & 0xff;
> + port_index -= (port_index > 0);
> + status_reg = &ehci->regs->port_status[port_index];
>
> spin_lock_irqsave(&ehci->lock, flags);
>
> @@ -288,7 +290,7 @@ static int ci_ehci_hub_control(
> ehci_writel(ehci, temp, status_reg);
> }
>
> - set_bit((wIndex & 0xff) - 1, &ehci->suspended_ports);
> + set_bit(port_index, &ehci->suspended_ports);
> goto done;
> }
Does this code test anywhere to ensure that wIndex > 0 and wIndex <=
number of ports?
Alan Stern
